tor[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

tor.exe
Size

4.3MB
MD5

21ef043ffdcb870b004fb9f319a8fb8c
SHA1

f02876e56abe4b7d8712faa82b0f4f2e2e7318ad
SHA256

5e7c0ed0ceba636c8a592f40716abaabe66ee79264825b7cb678f96bfaa05ee3
SHA512

642cd041eb5565325b9f59c4c5d2a3f0128f262ae04969e9a089cff1c805789f68d48ad33a325cc5a1bb72eed43f4f7e23ba0668deee98e25893c48a97e98e18
SSDEEP

49152:UZVwlXgccoMuclTLXDEcXgTHqJOgl732C3oiy/XnXErN9it3xC5QV9h1iTPSZn74:5AGqPon7jRUrYQIw7Cw9Yc3NbZ

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
tor.exe

Files

tor.exe
.exe windows:4 windows x64

e8b2a5884ae1195cc8c34e89fc497a95

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED

Imports

libevent-2-1-7

evdns_add_server_port_with_base
evdns_base_clear_nameservers_and_suspend
evdns_base_config_windows_nameservers
evdns_base_count_nameservers
evdns_base_get_nameserver_addr
evdns_base_nameserver_ip_add
evdns_base_new
evdns_base_resolv_conf_parse
evdns_base_resolve_ipv4
evdns_base_resolve_ipv6
evdns_base_resolve_reverse
evdns_base_resolve_reverse_ipv6
evdns_base_resume
evdns_base_search_clear
evdns_base_set_option
evdns_close_server_port
evdns_server_request_add_a_reply
evdns_server_request_add_aaaa_reply
evdns_server_request_add_ptr_reply
evdns_server_request_get_requesting_addr
evdns_server_request_respond
evdns_set_log_fn
evdns_set_random_bytes_fn
evdns_shutdown
event_active
event_add
event_base_free
event_base_get_method
event_base_loop
event_base_loopbreak
event_base_loopexit
event_base_new_with_config
event_config_free
event_config_new
event_config_set_flag
event_config_set_num_cpus_hint
event_del
event_free
event_get_version
event_new
event_pending
event_set_log_callback
event_set_mem_functions
evutil_secure_rng_add_bytes
evutil_secure_rng_get_bytes
evutil_secure_rng_init
evutil_secure_rng_set_urandom_device_file

libssp-0

__stack_chk_fail
__stack_chk_guard

advapi32

CryptAcquireContextA
CryptGenRandom

iphlpapi

GetAdaptersAddresses

kernel32

CloseHandle
CreateEventA
CreateFileA
CreateFileMappingA
CreateNamedPipeA
CreateProcessA
DeleteCriticalSection
EnterCriticalSection
FindClose
FindFirstFileA
FindNextFileA
FormatMessageA
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetExitCodeProcess
GetFileSize
GetLastError
GetModuleFileNameA
GetProcAddress
GetStartupInfoA
GetSystemDirectoryA
GetSystemInfo
GetSystemTimeAsFileTime
GetTickCount
GetVersionExA
GlobalMemoryStatusEx
HeapSetInformation
InitializeCriticalSection
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
LoadLibraryA
LocalFree
MapViewOfFile
OpenProcess
QueryPerformanceCounter
QueryPerformanceFrequency
ReadFileEx
ResetEvent
RtlAddFunctionTable
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
SetConsoleCtrlHandler
SetEvent
SetHandleInformation
SetLastError
SetUnhandledExceptionFilter
Sleep
SleepEx
TerminateProcess
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
UnhandledExceptionFilter
UnmapViewOfFile
VirtualLock
VirtualProtect
VirtualQuery
WaitForSingleObject
WideCharToMultiByte
WriteFileEx

msvcrt

__C_specific_handler
__getmainargs
__initenv
__iob_func
__lconv_init
__set_app_type
__setusermatherr
_acmdln
_amsg_exit
_beginthread
_cexit
_chsize
_endthread
_environ
_errno
_fmode
_fstat64
_fullpath
_getpid
_getwch
_gmtime64
_initterm
_localtime64
_locking
_lseek
_lseeki64
_mktime64
_onexit
_putch
_snprintf
_stat64
_stricmp
_strnicmp
_time64
_vsnprintf
abort
atoi
calloc
exit
fclose
feof
fgetc
fgets
fopen
fprintf
fputs
free
frexp
fwrite
islower
isspace
isupper
localeconv
malloc
memchr
memcmp
memcpy
memmove
memset
printf
puts
qsort
realloc
rename
signal
strcat
strchr
strcmp
strcspn
strerror
strftime
strlen
strncmp
strncpy
strpbrk
strrchr
strspn
strstr
strtol
strtoul
vfprintf
_write
_utime
_unlink
_strdup
_read
_open
_mkdir
_getcwd
_fileno
_fdopen
_close

shell32

SHGetMalloc
SHGetPathFromIDListA
SHGetSpecialFolderLocation

ws2_32

WSACleanup
WSAGetLastError
WSAIoctl
WSASetLastError
WSAStartup
accept
bind
closesocket
connect
gethostbyname
gethostname
getsockname
getsockopt
htonl
htons
ioctlsocket
listen
ntohl
ntohs
recv
send
setsockopt
socket

libcrypto-1_1-x64

ASN1_TIME_print
BIO_ctrl
BIO_free
BIO_method_type
BIO_new
BIO_new_socket
BIO_next
BIO_number_read
BIO_number_written
BIO_s_mem
BN_bin2bn
BN_bn2bin
BN_bn2hex
BN_clear_free
BN_cmp
BN_copy
BN_dup
BN_free
BN_hex2bn
BN_is_word
BN_new
BN_num_bits
BN_set_word
BN_sub_word
BN_to_ASN1_INTEGER
CONF_modules_unload
CRYPTO_free
CRYPTO_get_ex_new_index
DH_compute_key
DH_free
DH_generate_key
DH_get0_key
DH_new
DH_set0_pqg
DH_set_length
DH_size
DH_up_ref
EC_GFp_mont_method
EC_GFp_nist_method
EC_GFp_simple_method
EC_GROUP_method_of
EC_KEY_free
EC_KEY_get0_group
EC_KEY_new_by_curve_name
ENGINE_by_id
ENGINE_ctrl_cmd_string
ENGINE_free
ENGINE_get_cipher_engine
ENGINE_get_default_DH
ENGINE_get_default_EC
ENGINE_get_default_RAND
ENGINE_get_default_RSA
ENGINE_get_digest_engine
ENGINE_get_id
ENGINE_get_name
ENGINE_load_builtin_engines
ENGINE_register_all_complete
ENGINE_set_default
ERR_func_error_string
ERR_get_error
ERR_lib_error_string
ERR_peek_error
ERR_reason_error_string
EVP_CIPHER_CTX_free
EVP_CIPHER_CTX_new
EVP_CIPHER_CTX_reset
EVP_EncryptInit
EVP_EncryptUpdate
EVP_PKEY_CTX_ctrl
EVP_PKEY_CTX_free
EVP_PKEY_CTX_new_id
EVP_PKEY_assign
EVP_PKEY_base_id
EVP_PKEY_bits
EVP_PKEY_cmp
EVP_PKEY_derive
EVP_PKEY_derive_init
EVP_PKEY_free
EVP_PKEY_get1_RSA
EVP_PKEY_new
EVP_aes_128_ctr
EVP_aes_192_ctr
EVP_aes_256_ctr
EVP_sha256
HMAC
OBJ_txt2nid
OPENSSL_sk_num
OPENSSL_sk_value
OpenSSL_version
OpenSSL_version_num
PKCS5_PBKDF2_HMAC_SHA1
RAND_OpenSSL
RAND_bytes
RAND_get_rand_method
RAND_poll
RAND_seed
RAND_set_rand_method
RAND_status
RSAPrivateKey_dup
RSAPublicKey_dup
RSA_bits
RSA_check_key
RSA_free
RSA_generate_key_ex
RSA_get0_d
RSA_get0_dmp1
RSA_get0_dmq1
RSA_get0_e
RSA_get0_factors
RSA_get0_iqmp
RSA_get0_key
RSA_get0_n
RSA_get0_p
RSA_get0_q
RSA_new
RSA_private_decrypt
RSA_private_encrypt
RSA_public_decrypt
RSA_public_encrypt
RSA_size
SHA1
SHA1_Final
SHA1_Init
SHA1_Update
SHA256
SHA256_Final
SHA256_Init
SHA256_Update
SHA512
SHA512_Final
SHA512_Init
SHA512_Update
X509_NAME_add_entry_by_NID
X509_NAME_free
X509_NAME_new
X509_STORE_add_cert
X509_cmp
X509_cmp_time
X509_dup
X509_free
X509_get0_notAfter
X509_get0_notBefore
X509_get_pubkey
X509_get_serialNumber
X509_getm_notAfter
X509_getm_notBefore
X509_new
X509_set_issuer_name
X509_set_pubkey
X509_set_subject_name
X509_set_version
X509_sign
X509_time_adj
X509_verify
d2i_RSAPrivateKey
d2i_RSAPublicKey
d2i_X509
i2d_RSAPrivateKey
i2d_RSAPublicKey
i2d_X509

libssl-1_1-x64

OPENSSL_init_ssl
SSL_CIPHER_find
SSL_CIPHER_get_id
SSL_CIPHER_get_name
SSL_CTX_check_private_key
SSL_CTX_ctrl
SSL_CTX_free
SSL_CTX_get_cert_store
SSL_CTX_new
SSL_CTX_set_options
SSL_CTX_set_security_level
SSL_CTX_set_verify
SSL_CTX_use_PrivateKey
SSL_CTX_use_certificate
SSL_SESSION_get_master_key
SSL_accept
SSL_connect
SSL_ctrl
SSL_export_keying_material
SSL_free
SSL_get_certificate
SSL_get_client_ciphers
SSL_get_client_random
SSL_get_current_cipher
SSL_get_error
SSL_get_ex_data
SSL_get_options
SSL_get_peer_cert_chain
SSL_get_peer_certificate
SSL_get_rbio
SSL_get_server_random
SSL_get_session
SSL_get_state
SSL_get_wbio
SSL_new
SSL_pending
SSL_read
SSL_set_bio
SSL_set_cipher_list
SSL_set_ex_data
SSL_set_info_callback
SSL_set_options
SSL_set_session_secret_cb
SSL_set_verify
SSL_state_string_long
SSL_version
SSL_write
TLS_method

zlib1

deflate
deflateEnd
deflateInit2_
inflate
inflateEnd
inflateInit2_
zlibVersion

Sections

.text
Size: 3.3MB - Virtual size: 3.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 53KB - Virtual size: 53KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 686KB - Virtual size: 686KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.pdata
Size: 96KB - Virtual size: 95KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xdata
Size: 98KB - Virtual size: 98KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 25KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 17KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 104B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

e8b2a5884ae1195cc8c34e89fc497a95

Headers

DLL Characteristics

File Characteristics

Imports

libevent-2-1-7

libssp-0

advapi32

iphlpapi

kernel32

msvcrt

shell32

ws2_32

libcrypto-1_1-x64

libssl-1_1-x64

zlib1

Sections

.text Size: 3.3MB - Virtual size: 3.3MB

.data Size: 53KB - Virtual size: 53KB

.rdata Size: 686KB - Virtual size: 686KB

.pdata Size: 96KB - Virtual size: 95KB

.xdata Size: 98KB - Virtual size: 98KB

.bss Size: - Virtual size: 25KB

.idata Size: 17KB - Virtual size: 17KB

.CRT Size: 512B - Virtual size: 104B

.tls Size: 512B - Virtual size: 16B

.reloc Size: 6KB - Virtual size: 5KB

.text
Size: 3.3MB - Virtual size: 3.3MB

.data
Size: 53KB - Virtual size: 53KB

.rdata
Size: 686KB - Virtual size: 686KB

.pdata
Size: 96KB - Virtual size: 95KB

.xdata
Size: 98KB - Virtual size: 98KB

.bss
Size: - Virtual size: 25KB

.idata
Size: 17KB - Virtual size: 17KB

.CRT
Size: 512B - Virtual size: 104B

.tls
Size: 512B - Virtual size: 16B

.reloc
Size: 6KB - Virtual size: 5KB